Abstract — We define a special class of hybrid automata, called Deterministic and Transversal Linear Hybrid Automata (DTLHA), whose continuous dynamics in each location are linear time-invariant (LTI) with a constant input, and for which every discrete transition up to a given bounded time is deterministic and, importantly, transversal. For such a DTLHA starting from an initial state, we show that it is possible to compute an approximation of the reach set of a DTLHA over a finite time interval that is arbitrarily close to the exact reach set, called a bounded $\epsilon$-reach set, through sampling and polyhedral over-approximation of sampled states. We propose an algorithm and an attendant architecture for the overall bounded $\epsilon$-reach set computation process.

Index Terms — Linear system, hybrid automata, reachability, 
transversality. 



I. Introduction 

DYNAMIC systems which exhibit both continuous state evolution and discrete state transitions can typically be modeled as hybrid automata (HA) [1], [?]. Computing the reach set of a hybrid automaton from a given set of initial states is a problem of fundamental importance as it is related to safety verification and automated controller synthesis. Even though many systems can be so modeled, it is in general undecidable to compute the exact reach set [?] except for classes of hybrid automata whose continuous dynamics are fairly simple, such as timed automata (TA) [4] and initialized rectangular hybrid automata (IRHA) [?]. Neither of these classes of automata allows the standard linear systems dynamics which is widely used for control systems. To broaden the class of systems that can be addressed, research in hybrid system verification in recent years has focused on algorithms computing over-approximations of the reach set for various classes of hybrid automata [?], [11], [12], [13]. However, even with this relaxation from exact reach set to over-approximations, it is still a challenging problem to compute an over-approximation of the reach set of hybrid automata with linear dynamics with arbitrarily small approximation error and a termination guarantee for the computation.

A. Related Work

For the computation of the reach set of hybrid automata with linear dynamics, several tools and approaches have been proposed in the literature. As an example, HyTech [5] computes the reach set of hybrid automata whose continuous dynamics are more general than those of IRHA by translating the original model into an IRHA if the model is clock translatable. Otherwise, an over-approximate reach set is computed through an approach, called linear phase-portrait approximation, which approximates the original hybrid automaton by relaxing the continuous dynamics of the original automaton. PHAVer [6] can handle a class of systems called linear hybrid automata that have affine dynamics. It computes a conservative over-approximation of the reach set of such hybrid automata through on-the-fly over-approximation of the phase portrait, which is a variation of the phase-portrait approximation in [5]. Recently, another tool, SpaceEx, has been developed based on the algorithm called the LeGuernic-Girard (LGG) algorithm [13], which allows the handling of hybrid automata with linear differential equations with a larger number of continuous variables compared to other approaches.

In [?], a class of hybrid automata, called polyhedral-invariant hybrid automata (PIHA), is defined and an algorithm is proposed to construct a finite state transition system, which is a conservative approximation of the original PIHA. Determining a polyhedral approximation of each sampled segment of the continuous state evolution between switching planes is the underlying fundamental technique in the algorithm that is used. Another approach proposed in [9] is also based on the idea of sampling and polyhedral over-approximation of the continuous state evolution of a continuous linear dynamics. On the other hand, in [10] and [8], ellipsoids and zonotopes are used respectively for approximating continuous state evolution.

However, while these algorithms and tools compute some 
over-approximation of the reach set of hybrid systems with 
linear dynamics, computation of an over-approximate reach 
set which is arbitrarily close to the exact reach set of such 
hybrid systems with guaranteed termination remains an open 
issue for further research. 

B. Challenges and Contributions 

In general, the key challenges in reach set computation of HA are (i) to over-approximate the exact continuous flow with arbitrarily small approximation error, (ii) to determine when and where a discrete transition occurs, and (iii) to develop a reach set computation algorithm with a termination guarantee. In this paper, we address the problem of computing an over-approximation of the reach set of a special class of hybrid automata, called Deterministic and Transversal Linear Hybrid Automaton (DTLHA), starting from an initial state over a finite time interval. We call such an over-approximate reach set a bounded $\epsilon$-reach set. Our approach can be related to other approaches that use sampling and polyhedral over-approximation as in [?], [9]. The main contributions of our approach are as follows: (i) We show that an over-approximation of the reach set of a DTLHA can be computed arbitrarily closely to the exact reach set. (ii) We also show that such computation is guaranteed to terminate under a deterministic and transversal restriction on the discrete dynamics. (iii) Furthermore, to facilitate practical computation, we extend these theoretical results to consider the numerical calculation errors caused by finite precision calculation capabilities. Based on the theoretical results, we propose an algorithm to compute a bounded $\epsilon$-reach set of a DTLHA, as well as a software architecture that is designed to improve the flexibility and the efficiency in computing such an over-approximation.

The paper is organized as follows. In Section II we introduce definitions and notations that are used throughout this paper. In Section III we show that, for arbitrarily small $\epsilon > 0$, a bounded $\epsilon$-reach set of a DTLHA starting from an initial state can be computed under the assumption of infinite precision numerical calculation capabilities. In Section IV we first derive a set of conditions for computation of a bounded $\epsilon$-reach set, and then extend these conditions to consider errors caused by finite precision numerical calculation capabilities. In Section V we propose an algorithm for a bounded $\epsilon$-reach set computation, as well as an architecture for software implementation of the proposed algorithm. Finally, we illustrate an example of bounded $\epsilon$-reach set computation in Section VI followed by concluding remarks in Section VII.

II. Preliminaries

Let $X \subset \mathbb{R}^n$ be a continuous state space over which a hybrid automaton is defined. For a polyhedron $C \subset \mathbb{R}^n$, we denote its interior by $C^\circ$, and its boundary by $\partial C$. We will also use the notation $B_r(x)$ to denote a closed ball of radius $r$ with center $x$, i.e., $B_r(x) := \{y \in \mathbb{R}^n : \|y - x\| \le r\}$. The specific norm that we use in the definition of $B_r(x)$ as well as in the sequel is the $\ell_\infty$-norm. Since we are using the $\ell_\infty$-norm, $B_r(x)$ is a hypercubic neighborhood of $x$. One of the advantages of using the $\ell_\infty$-norm is that the induced hypercubic neighborhood is easily computed. More generally, a hypercube is a special case of a polyhedron, which is important since it is easy to propagate the image of this set under linear dynamics. This is useful in Section III when we describe our approach for bounded $\epsilon$-reach set computation.

We now describe the class of hybrid automata considered. We assume that $X$ is a closed and bounded subset of Euclidean space, and is partitioned into a collection of polyhedral regions $\mathcal{C} := \{C_1, \cdots, C_m\}$ such that $C_i^\circ \neq \emptyset$ for each $i \in \{1, \cdots, m\}$ and

$$\bigcup_{i} C_i = X, \qquad C_i^\circ \cap C_j^\circ = \emptyset \ \text{ for } i \neq j, \qquad (1)$$

where $m$ is the size of the partition, and each $C_i$ is a polyhedron, called a cell. Two cells $C_i$ and $C_j$ are said to be adjacent if the affine dimension of $\partial C_i \cap \partial C_j$ is $(n-1)$, or, equivalently, cells $C_i$ and $C_j$ intersect in an $(n-1)$-dimensional facet. Two cells $C_i$ and $C_j$ are said to be connected if there exists a sequence of adjacent cells between $C_i$ and $C_j$.

Definition 1. An $n$-dimensional Linear Hybrid Automaton (LHA)¹ is a tuple $(L, Inv, A, u, \to)$ satisfying the following properties:

(a) $L$ is a finite set of locations or discrete states. The state space is $L \times \mathbb{R}^n$, and an element $(l, x) \in L \times \mathbb{R}^n$ is called a state.

(b) $Inv$ is a function on $L$ that maps each location to a set of cells, called an invariant set of a location, such that (i) for each $l \in L$, all the cells in $Inv(l)$ are connected, (ii) for any two locations $l, l' \in L$, $Inv(l)^\circ \cap Inv(l')^\circ = \emptyset$, and (iii) $\bigcup_{l \in L} Inv(l) = X$.

(c) $A : L \to \mathbb{R}^{n \times n}$ is a function that maps each location to an $n \times n$ real-valued matrix, and

(d) $u : L \to \mathbb{R}^n$ is a function that maps each location to an $n$-dimensional real-valued vector.

(e) $\to\ : (\mathbb{R}^n, L) \times (\mathbb{R}^n, L)$ is a binary relation which defines a discrete transition from one state $(x_1, l_1)$ to another state $(x_2, l_2)$ such that $(x_1, l_1) \to (x_2, l_2)$ when $G$ is satisfied and $x_2$ is set to $x_1$ after a discrete transition.

In the sequel, for each $l_i \in L$, we use $A_i$, $u_i$, $Inv_i$ to denote $A(l_i)$, $u(l_i)$, and $Inv(l_i)$, respectively.

An example LHA which satisfies Definition 1 is shown in Section VI-A. Next, we define the behavior of an LHA.

Definition 2. For a location $l_i \in L$, a trajectory of duration $t \in \mathbb{R}_+$ for an $n$-dimensional LHA $\mathcal{A}$ is a continuous map $\eta$ from $[0, t]$ to $\mathbb{R}^n$, such that

(a) $\eta(\tau)$ satisfies the differential equation

$$\dot{\eta}(\tau) = A_i \eta(\tau) + u_i, \qquad (2)$$

(b) $\eta(\tau) \in Inv_i$ for every $\tau \in [0, t]$.


Definition 3. An execution $\alpha$ of an LHA $\mathcal{A}$ from a starting state $(l_0, x_0) \in L \times \mathbb{R}^n$ is defined to be the concatenation of a finite or infinite sequence of trajectories $\alpha = \eta_0 \eta_1 \eta_2 \cdots$, such that

(a) $\eta_0(0) = x_0$,

(b) $\eta_k(0) = \eta_{k-1}(\eta_{k-1}.dur)$ for $k \ge 1$,

where $\eta_k$ represents a trajectory defined at some location $l \in L$ and $\eta_k.dur$ denotes the duration of $\eta_k$. We also define $\alpha.dur := \sum_k \eta_k.dur$ where $\alpha.dur$ denotes the duration of an execution $\alpha$.

¹In the hybrid system literature [?], [14] the word "linear automaton" has been used to denote a system where the differential equations and inequalities involved have constant right hand sides. This does not conform to the standard notion of linearity where the right hand side is allowed to be a function of state. In particular, it does not include the standard class of linear time-invariant systems that is of central interest in control systems design and analysis. We use the term "linear" in this latter, more mathematically standard way that therefore encompasses a larger class of systems, and, more importantly, encompasses classes of switched linear systems that are of much interest.

Fig. 1. A deterministic and transversal discrete transition from a location $l_i$ to a location $l_j$ occurring at $x(\tau_k) \in \partial Inv(l_i) \cap \partial Inv(l_j)$.

We can represent an execution $\alpha$ of an LHA $\mathcal{A}$ from an initial condition $(l_0, x_0) \in L \times \mathbb{R}^n$ for time $[0, t]$ as a continuous map $x : [0, t] \to \mathbb{R}^n$ such that (a) $t = \alpha.dur$, (b) $x(0) = x_0 \in Inv_0$, (c) $x(\tau_k) = \eta_k(0)$, and (d) $x(\tau) = \eta_{k-1}(\tau - \tau_{k-1})$ for $\tau \in [\tau_{k-1}, \tau_k]$, where $\tau_0 = 0$, and $\tau_k = \sum_{j=0}^{k-1} \eta_j.dur$ for $k \ge 1$. Note that $\tau_k$ for $k \ge 1$ represents the time at the $k$-th discrete transition between locations and the continuous state is not reset during discrete transitions.

Definition 4. For an execution $x(t)$ of an LHA, a discrete transition $(x_i, l_i) \to (x_j, l_j)$ occurs if $x_i = x(\tau')$ for some time $\tau'$, $x(\tau') \in Inv_i \cap Inv_j$ and $x(\tau') = \lim_{\tau \uparrow \tau'} x(\tau)$ where $x(\tau) \in (Inv_i)^\circ$ for $\tau \in (\tau' - \delta, \tau')$ for some $\delta > 0$.

Definition 5. A discrete transition is called deterministic if there is only one location $l_j \in L$ to which a discrete transition state $x(\tau_k)$ can make a discrete transition from $l_i$. We call a discrete transition a transversal discrete transition if there exists $\epsilon > 0$ such that

$$\langle \dot{x}_i(\tau_k), n_i \rangle \ge \epsilon \ \wedge\ \langle \dot{x}_j(\tau_k), n_i \rangle \ge \epsilon, \qquad (3)$$

where $\langle x, y \rangle$ denotes the inner product between $x$ and $y$, $n_i$ is an outward normal vector of $\partial Inv_i$ at $x(\tau_k)$, and $\dot{x}_i(\tau_k) = A_i x(\tau_k) + u_i$ and $\dot{x}_j(\tau_k) = A_j x(\tau_k) + u_j$ are the vector fields at $x(\tau_k)$ evaluated with respect to the continuous dynamics of location $l_i$ and $l_j$, respectively.

Fig. 1 illustrates a case where $x(\tau_k)$ satisfies such a deterministic and transversal discrete transition condition. Note that if $x(\tau_k)$ satisfies a deterministic and transversal discrete transition condition, then $x(\tau_k)$ must make a discrete transition from a location $l_i$ to the other location $l_j$, and $l_j$ has to be unique. Furthermore, Zeno behavior, an infinite number of discrete transitions within a finite amount of time, does not occur if a discrete transition is a transversal discrete transition.

We now define a special class of LHA whose every discrete transition satisfies the deterministic and transversality conditions defined in Definition 5 as follows:

Definition 6. Given an LHA $\mathcal{A}$, a starting state $(l_0, x_0) \in L \times X$, a time bound $T$, and a jump bound $N$, we call an LHA $\mathcal{A}$ a Deterministic and Transversal Linear Hybrid Automaton (DTLHA) if all discrete transitions in the execution starting from $x_0$ up to time $t_f := \min\{T, \tau_N\}$ are deterministic and transversal, where $\tau_N$ is the time at the $N$-th discrete transition.

Next, we define the bounded reach set of a DTLHA and its over-approximation as follows:

Definition 7. A continuous state in $X$ is reachable if there exists some time $t$ at which it is reached by some execution $x$.

Definition 8. Given a state $x_0$ and a time $t$, the bounded reach set up to time $t$, denoted as $\mathcal{R}_t(x_0)$, of a DTLHA $\mathcal{A}$ is defined to be the set of continuous states that are reachable for some time $\tau \in [0, t]$ by some execution $x$ starting from $x_0 \in Inv_0$.

Definition 9. Given $\epsilon > 0$, a set of continuous states $S$ is called a bounded $\epsilon$-reach set of a DTLHA $\mathcal{A}$ over a time interval $[0, t]$ from an initial state $x_0$ if $\mathcal{R}_t(x_0) \subseteq S$ and

$$d_H(\mathcal{R}_t(x_0), S) \le \epsilon, \qquad (4)$$

where $d_H(\mathcal{P}, \mathcal{Q})$ denotes the Hausdorff distance between two sets $\mathcal{P}$ and $\mathcal{Q}$ that is defined as $d_H(\mathcal{P}, \mathcal{Q}) := \max\{\sup_{p \in \mathcal{P}} \inf_{q \in \mathcal{Q}} d(p, q), \sup_{q \in \mathcal{Q}} \inf_{p \in \mathcal{P}} d(p, q)\}$ where $d(p, q) := \|p - q\|$.

In the sequel, we use $\mathcal{D}_t(\mathcal{V})$ to denote the set of states reached at time $t$ from a set $\mathcal{V}$ at time 0. Similarly, for the set of reached states over a time interval $[t_1, t_2)$ from $\mathcal{V}$, we use $\mathcal{D}_{[t_1, t_2)}(\mathcal{V})$. We also use $\mathcal{D}_t(\mathcal{V}, \gamma)$ to denote an over-approximation of $\mathcal{D}_t(\mathcal{V})$ with an approximation parameter $\gamma > 0$, calling it a $\gamma$-approximation of $\mathcal{D}_t(\mathcal{V})$ if it satisfies (i) $\mathcal{D}_t(\mathcal{V}) \subseteq \mathcal{D}_t(\mathcal{V}, \gamma)$ and (ii) $d_H(\mathcal{D}_t(\mathcal{V}), \mathcal{D}_t(\mathcal{V}, \gamma)) \le \gamma$. Note that $\mathcal{D}_0(\mathcal{V}, \gamma)$ is simply a $\gamma$-approximation of the set $\mathcal{V}$.

III. Bounded $\epsilon$-Reachability of a DTLHA

In this section, we consider the problem of a bounded $\epsilon$-reach set computation of a DTLHA starting from an initial state over a finite time interval. More precisely, we show that, for any given $\epsilon > 0$, a DTLHA $\mathcal{A}$, an initial condition $(l_0, x_0) \in L \times X$, a time upper bound $T \in \mathbb{R}_+$, and a discrete transition upper bound $N \in \mathbb{N}$, it is possible to compute a bounded $\epsilon$-reach set of $\mathcal{A}$ over a finite time interval $[0, t_f]$ under the assumptions that the following computations can be performed exactly: (i) $x(t) = e^{At} x_0 + \int_0^t e^{A(t-s)} u \, ds$, (ii) the convex hull of a finite set of points in $\mathbb{R}^n$, and (iii) the intersection between a polyhedron and a hyperplane, where $t_f$ is as defined in Definition 6, $A \in \mathbb{R}^{n \times n}$, and $u \in \mathbb{R}^n$.

A. Bounded $\epsilon$-Reach Set of a DTLHA at Initial Location

We first show how a trajectory of a DTLHA can be over-approximated through sampling and polyhedral over-approximation of each sampled state. The basic approach for such over-approximation is shown in Fig. 2. It is necessary that, for a given size of over-approximation of each sampled state, a sampling period $h$ has to ensure that a trajectory $x(t)$ is contained in the computed set of polyhedra. For a given value of $\epsilon > 0$, we now show how we can determine a sampling period $h$ which guarantees that



$$\max_{\tau \in [0, h]} \|x(t + \tau) - x(t)\| \le \epsilon \quad \forall x(t) \in X. \qquad (5)$$

To determine a suitable value of $h$ which results in (5), we suppose $x(s) \in (Inv_i)^\circ$ for all $s \in [t, t + h]$ for some location $l_i \in L$. Then for a given $\epsilon$, $X$, and $x(s) \in X$, we have

$$\max_{s \in [t, t+\tau]} \|\dot{x}(s)\| = \max_{s \in [t, t+\tau]} \|A_i x(s) + u_i\| \le \max_{s \in [t, t+\tau]} \{\|A_i\| \|x(s)\| + \|u_i\|\} \le \|A_i\| \bar{x} + \|u_i\|, \qquad (6)$$

where $\bar{x} = \max_{x \in X} \|x\|$.

For a fixed $\tau \in [0, h]$, we can compute an upper bound on $\|x(t + \tau) - x(t)\|$ as follows:

$$\|x(t + \tau) - x(t)\| \le \int_t^{t+\tau} \|\dot{x}(s)\| \, ds \le \int_t^{t+\tau} \max_{s \in [t, t+\tau]} \|\dot{x}(s)\| \, ds \le \int_t^{t+\tau} (\|A_i\| \bar{x} + \|u_i\|) \, ds = (\|A_i\| \bar{x} + \|u_i\|) \tau. \qquad (7)$$

Maximization of both sides of (7) over $\tau \in [0, h]$ gives us

$$\max_{\tau \in [0, h]} \|x(t + \tau) - x(t)\| \le (\|A_i\| \bar{x} + \|u_i\|) h \le \max_{l_i \in L} (\|A_i\| \bar{x} + \|u_i\|) h. \qquad (8)$$

If we upper bound the right hand side by $\epsilon > 0$, then we can choose

$$h \le \frac{\epsilon}{v}, \qquad (9)$$

where $v := \max_{l_i \in L} (\|A_i\| \bar{x} + \|u_i\|)$. So, if we choose $h$ as

$$h = \frac{\epsilon / 2}{v}, \qquad (10)$$

then it is clear that we can ensure (5).

We now show that, for a given $\epsilon > 0$, if a sampling period $h$ satisfies (10), then a set constructed as a union of $\epsilon$-neighborhoods of each sampled state along a trajectory is indeed a bounded $\epsilon$-reach set at an initial location. Moreover, such a bounded $\epsilon$-reach set contains the bounded reach set not only from the initial state but also from the $(\epsilon/2)$-neighborhood of the initial state.

Lemma 1. Given $\epsilon > 0$ and a time bound $T > 0$, a bounded $\epsilon$-reach set $\mathcal{R}_{t_f}(x_0, \epsilon)$ of a DTLHA $\mathcal{A}$ from an initial state $(x_0, l_0)$ can be determined as follows:

$$\mathcal{R}_{t_f}(x_0, \epsilon) := \bigcup_{k=0}^{m} B_\epsilon(x(kh)), \qquad (11)$$

where $t_f := \min\{\tau_1, T\}$, $\tau_1 := \inf\{t \in (0, T] : x(t) \notin Inv_0 \wedge x(0) = x_0\}$, $m := \lfloor t_f / h \rfloor$ and $h = (\epsilon/2) / \max_{l_i \in L} (\|A_i\| \bar{x} + \|u_i\|)$. Moreover, this set has two additional properties:

(i) $\lim_{\epsilon \to 0} \mathcal{R}_{t_f}(x_0, \epsilon) = \mathcal{R}_{t_f}(x_0)$, and

(ii) it contains an $\epsilon/2$ neighborhood of $\mathcal{R}_{t_f}(x_0)$, i.e.,

$$\bigcup_{z \in \mathcal{R}_{t_f}(x_0)} B_{\epsilon/2}(z) \subseteq \mathcal{R}_{t_f}(x_0, \epsilon).$$

Fig. 2. An over-approximation of a trajectory $x(t)$ through sampling (the figure labels the balls $B_\epsilon(x(0))$, $B_\epsilon(x(h))$, $B_\epsilon(x(t))$, $B_\epsilon(x(t+h))$ and $B_\epsilon(x(t_f - h))$ placed along the trajectory).

Proof: Since $h$ satisfies (9), it is easy to see that $\mathcal{R}_{t_f}(x_0) \subseteq \mathcal{R}_{t_f}(x_0, \epsilon)$ from the construction of $\mathcal{R}_{t_f}(x_0, \epsilon)$. Next, by the relation between $\epsilon$ and $h$ in (10), it is clear that $h \to 0$ as $\epsilon \to 0$. This implies that $\mathcal{R}_{t_f}(x_0, \epsilon) \to \mathcal{R}_{t_f}(x_0)$ as $\epsilon \to 0$, establishing (i). For (ii), as noted above, (10) actually chooses half the sampling period that would have sufficed to make it a bounded $\epsilon$-reach set over $[0, t_f]$. Hence, replacing $\epsilon$ by $\epsilon/2$ in the right hand side of (11) still yields a bounded $\epsilon$-reach set. Thus the over-stringent choice of $h$ contains not just $\mathcal{R}_{t_f}(x_0)$ but actually all points that are within a distance $\epsilon/2$ from it. ■
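To make the choice of $h$ in (9)–(10) and the construction (11) concrete, here is an added worked example in Python; it is not code from the paper. It computes $v$ and $h$ for constructed two-location data with an assumed bound $\bar{x}$ on $X$, samples the exact LTI flow $x(t) = e^{At}x_0 + \int_0^t e^{A(t-s)}u\,ds$ of the initial location through the matrix exponential of the augmented matrix $[[A, u], [0, 0]]$ (an implementation choice of this example, evaluated by a scaled Taylor series), and then checks densely that the trajectory never leaves the $\epsilon$-ball of the sample that precedes it, i.e. that (5) holds, and that consecutive samples are at most $\epsilon/2$ apart as (8) guarantees. The $\ell_\infty$ matrix norm used for $\|A_i\|$ is the induced norm, the maximum absolute row sum. All matrices, vectors, constants and function names are assumptions of this example.

```python
import math

# Added example (not from the paper): sampling period (9)/(10) and the
# bounded eps-reach set (11) of one location, in pure Python.

def mat_mul(P, Q):
    return [[sum(P[i][k] * Q[k][j] for k in range(len(Q)))
             for j in range(len(Q[0]))] for i in range(len(P))]

def expm(M, terms=30):
    """Matrix exponential by scaling-and-squaring with a truncated Taylor series."""
    n = len(M)
    norm = max(sum(abs(v) for v in row) for row in M)   # induced infinity-norm
    s = 0
    while norm / (2 ** s) > 0.5:        # scale M down until the series converges fast
        s += 1
    Ms = [[v / (2 ** s) for v in row] for row in M]
    result = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    term = [row[:] for row in result]
    for k in range(1, terms):           # result = sum_k Ms^k / k!
        term = [[v / k for v in row] for row in mat_mul(term, Ms)]
        result = [[result[i][j] + term[i][j] for j in range(n)] for i in range(n)]
    for _ in range(s):                  # undo the scaling: e^M = (e^{M/2^s})^(2^s)
        result = mat_mul(result, result)
    return result

def affine_flow(A, u, x0, t):
    """Exact solution at time t of x' = A x + u from x0 (constant input u)."""
    n = len(A)
    aug = [[A[i][j] * t for j in range(n)] + [u[i] * t] for i in range(n)]
    aug.append([0.0] * (n + 1))
    E = expm(aug)       # E = [[e^{At}, int_0^t e^{A(t-s)} u ds], [0, 1]]
    return [sum(E[i][j] * x0[j] for j in range(n)) + E[i][n] for i in range(n)]

def inf_norm_vec(v):
    return max(abs(c) for c in v)

def inf_norm_mat(A):
    return max(sum(abs(c) for c in row) for row in A)

def sampling_period(locations, xbar, eps):
    """h = (eps/2)/v with v = max_i (||A_i|| xbar + ||u_i||), i.e. (9) and (10)."""
    v = max(inf_norm_mat(A) * xbar + inf_norm_vec(u) for A, u in locations)
    return (eps / 2.0) / v

def sample_centers(A, u, x0, h, t_f):
    """Centers x(kh), k = 0..floor(t_f/h), of the balls in (11)."""
    m = int(math.floor(t_f / h))
    return [affine_flow(A, u, x0, k * h) for k in range(m + 1)]

def max_step(centers):
    """Largest infinity-norm gap between consecutive samples; (8) bounds it by eps/2."""
    return max(inf_norm_vec([a - b for a, b in zip(centers[k], centers[k + 1])])
               for k in range(len(centers) - 1))

def trajectory_covered(A, u, x0, centers, eps, h, t_f, n_check=1000):
    """Dense check of (5): x(t) lies in B_eps(x(kh)) for the k with kh <= t < (k+1)h."""
    for i in range(n_check + 1):
        t = t_f * i / n_check
        k = min(int(t / h), len(centers) - 1)
        x = affine_flow(A, u, x0, t)
        if inf_norm_vec([a - b for a, b in zip(x, centers[k])]) > eps:
            return False
    return True

# Constructed data (assumptions of this example): two locations with 2-D
# dynamics, a bound XBAR on ||x|| over the state space X, and the initial
# location's dynamics used for the sampled segment.
LOCATIONS = [
    ([[0.0, 1.0], [-2.0, -1.0]], [0.0, 1.0]),   # l0: ||A|| = 3, ||u|| = 1
    ([[-1.0, 0.0], [0.0, -1.0]], [0.5, 0.0]),   # l1: ||A|| = 1, ||u|| = 0.5
]
XBAR = 2.0
EPS = 0.1
X0 = [1.0, 0.0]
T_F = 1.0

def demo():
    A, u = LOCATIONS[0]
    h = sampling_period(LOCATIONS, XBAR, EPS)   # v = 3*2 + 1 = 7, h = 0.05/7
    centers = sample_centers(A, u, X0, h, T_F)
    return {
        "h": h,
        "centers": centers,
        "max_step": max_step(centers),
        "covered": trajectory_covered(A, u, X0, centers, EPS, h, T_F),
    }

if __name__ == "__main__":
    r = demo()
    print("h =", r["h"], "samples =", len(r["centers"]),
          "max step =", r["max_step"], "covered =", r["covered"])
```

The bound $v$ is deliberately conservative (it uses $\bar{x}$ for the whole state space and the maximum over all locations), so the observed step between samples is well below $\epsilon/2$; this slack is exactly what property (ii) of Lemma 1 exploits.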

B. Continuity Property of DTLHA

Now let us consider the problem of computing a bounded $\epsilon$-reach set of a DTLHA $\mathcal{A}$ not from an initial state $x_0$ but from a $\delta$-neighborhood of $x_0$. We first show that there exists a $\delta > 0$ such that the bounded reach set of a DTLHA $\mathcal{A}$ from a set $B_\delta(x_0)$ at an initial location $l_0$ is contained in a bounded $\epsilon$-reach set of $\mathcal{A}$ from $x_0$ defined in (11).

Lemma 2. Given $\epsilon > 0$, a time bound $T > 0$, an initial state $x_0$, and a DTLHA $\mathcal{A}$, there exists a $\delta > 0$ such that

$$\mathcal{R}_{t_f}(B_\delta(x_0)) \subseteq \mathcal{R}_{t_f}(x_0, \epsilon), \qquad (12)$$

where $B_\delta(x_0)$ is a $\delta$-neighborhood around $x_0$ and $\mathcal{R}_{t_f}(B_\delta(x_0))$ is the bounded reach set of $\mathcal{A}$ from $B_\delta(x_0)$ up to time $t_f$ and $t_f$ is as defined in Lemma 1. In particular, $\mathcal{R}_{t_f}(B_{\epsilon/(2C)}(x_0)) \subseteq \mathcal{R}_{t_f}(x_0, \epsilon)$ for an appropriate $C$.

Proof: Notice that $x(t) = e^{A_0 t} x_0 + \int_0^t e^{A_0 (t-s)} u_0 \, ds$, where $A_0$ and $u_0$ define the linear dynamics in an initial location $l_0$. If we consider two different initial states $x_0$ and $y_0$ in $B_\delta(x_0)$, then their trajectories $x(t)$ and $y(t)$ satisfy $x(t) - y(t) = e^{A_0 t}(x_0 - y_0)$. Hence $\|x(t) - y(t)\| \le c e^{\lambda t} \|x_0 - y_0\|$ for some positive constant $c$ and some constant $\lambda$. Let $C := c \cdot \max_{0 \le t \le t_f} \{e^{\lambda t}\}$. Then

$$\|x(t) - y(t)\| \le C \|x_0 - y_0\| \quad \text{for } t \in [0, t_f]. \qquad (13)$$

Since $\|x_0 - y_0\| \le \delta$, $\|x(t) - y(t)\| \le C\delta$ for all $t \in [0, t_f]$. This implies that any initial condition $y_0$ in $B_\delta(x_0)$ results in a $y(t)$ that lies in a $C\delta$ neighborhood of $\mathcal{R}_{t_f}(x_0)$ for all $t \in [0, t_f]$. In particular, from property (ii) of Lemma 1, it also follows that $\mathcal{R}_{t_f}(B_\delta(x_0)) \subseteq \mathcal{R}_{t_f}(x_0, 2C\delta)$. If we set $\delta = \epsilon/(2C)$, then it is clear that $\mathcal{R}_{t_f}(B_\delta(x_0)) \subseteq \mathcal{R}_{t_f}(x_0, \epsilon)$. ■
Next we extend the result in Lemma 2 to show that there exist a $\delta > 0$ and a $\gamma > 0$ such that an over-approximation of the bounded reach set $\mathcal{R}_{t_f}(B_\delta(x_0))$, denoted as $\mathcal{R}_{t_f}(B_\delta(x_0), \gamma)$, is also contained in $\mathcal{R}_{t_f}(x_0, \epsilon)$ that is defined in (11).

Lemma 3. Given $\epsilon > 0$, a time bound $T > 0$, an initial state $x_0$, and a DTLHA $\mathcal{A}$, there exist $\delta > 0$ and $\gamma > 0$ such that

$$\mathcal{R}_{t_f}(B_\delta(x_0), \gamma) \subseteq \mathcal{R}_{t_f}(x_0, \epsilon), \qquad (14)$$

where $\mathcal{R}_{t_f}(B_\delta(x_0), \gamma)$ is a $\gamma$-approximation of $\mathcal{R}_{t_f}(B_\delta(x_0))$, and $t_f$ is as defined in Lemma 1. In particular, $\mathcal{R}_{t_f}(x_0) \subseteq \mathcal{R}_{t_f}(B_{\epsilon/(4C)}(x_0), \epsilon/4) \subseteq \mathcal{R}_{t_f}(x_0, \epsilon)$.

Proof: Let $x(t; z)$ denote the solution at time $t$ of the differential equation $\dot{x}(t) = A x(t) + u$ with initial condition $x(0) = z \in B_\delta(x_0)$. Now consider $w \in \mathcal{R}_{t_f}(B_\delta(x_0), \gamma)$. Then, by the definition of $\mathcal{R}_{t_f}(B_\delta(x_0))$ and $\mathcal{R}_{t_f}(B_\delta(x_0), \gamma)$,

$$\|w - x(t; z)\| \le \gamma$$

for some $t \in [0, t_f]$ and $z \in B_\delta(x_0)$. Hence

$$\|w - x(t; x_0)\| = \|w - x(t; z) + x(t; z) - x(t; x_0)\| \le \|w - x(t; z)\| + \|x(t; z) - x(t; x_0)\| \le \gamma + \|x(t; z) - x(t; x_0)\|.$$

From (13), we know that

$$\|x(t; z) - x(t; x_0)\| \le C \|z - x_0\| \le C\delta.$$

Hence

$$\|w - x(t; x_0)\| \le \gamma + C\delta,$$

which implies that $w$ lies in a $(\gamma + C\delta)$-neighborhood of $\mathcal{R}_{t_f}(x_0)$. From property (ii) in Lemma 1, if we replace $\epsilon/2$ with $(\gamma + C\delta)$, then we have $w \in \mathcal{R}_{t_f}(x_0, 2(\gamma + C\delta))$, which in turn implies that $\mathcal{R}_{t_f}(B_\delta(x_0), \gamma) \subseteq \mathcal{R}_{t_f}(x_0, 2(\gamma + C\delta))$. So, given $\epsilon > 0$, we can choose $\gamma = \epsilon/4$ and $\delta = \epsilon/(4C)$, and then $\mathcal{R}_{t_f}(B_\delta(x_0), \gamma) \subseteq \mathcal{R}_{t_f}(x_0, \epsilon)$. ■

C. Decidability of Discrete Transition Event

Recall that $\tau_1$ is the time $t$ when a reached state $x(t)$ of a DTLHA starting from an initial state first exits the invariant set of an initial location. We now show that, for a given $T$, even though it is not known to be decidable to determine $\tau_1$ exactly, we can still determine the event of exit of a reached state $x(t)$ from the invariant set of an initial location if $\tau_1 < T$.

Lemma 4. Given a time bound $T > 0$, an initial condition $(l_0, x_0) \in L \times \mathbb{R}^n$, and a DTLHA $\mathcal{A}$, if $\tau_1 < T$, then for all small enough $\delta > 0$ and for some small enough $h > 0$, $B_\delta(x(nh)) \subseteq (Inv_0)^c$ for some $n \in \mathbb{N}$ satisfying $nh < T$.

Proof: Let $n_1$ be an outward normal vector of $\partial Inv_0$ at $x(\tau_1)$. Since $\langle \dot{x}(\tau_1), n_1 \rangle > 0$ by assumption, then by the continuity of the vector field of a linear dynamics in $l_0$, there exists an $r > 0$ such that for all $z \in B_{3r}(x(\tau_1)) \cap \partial Inv_0$, $\langle \dot{z}, n_1 \rangle > 0$ where $\dot{z} := A_0 z + u_0$. Notice that $\|\dot{z}\| \le v$ by the definition of $v$ in (9). Let $x(t; z)$ denote the solution at time $t$ of the differential equation $\dot{x}(t) = A_0 x(t) + u_0$ with initial condition $x(0) = z$. Then for any $z \in B_r(x(\tau_1)) \cap \partial Inv_0$, it is guaranteed that $x(t; z) \in (Inv_0)^c$ for $t \in (0, 2h)$ for any $h > 0$ satisfying $h \le r/v$. This implies that $x(nh) \in (Inv_0)^c$ for some $n \in \mathbb{N}$. Moreover, by compactness of $Inv_0$, there exists a $\delta > 0$ such that $B_\delta(x(nh)) \subseteq (Inv_0)^c$. ■

Now suppose that $x(t) \in Inv_0$ for all $0 \le t \le T + \theta$ for some $\theta > 0$. Then this fact can also be determined.

Lemma 5. Suppose $x(t) \in Inv_0$ for all $0 \le t \le T + \theta$ for some $\theta > 0$. Then for all small enough $\delta > 0$ and $\gamma > 0$,

$$\mathcal{R}_{t_f}(B_\delta(x_0), \gamma) \subseteq (Inv_0)^\circ, \qquad (15)$$

where $t_f := \min\{\tau_1, T\} = T$.

Proof: Since $x(t) \in (Inv_0)^\circ$ for all $0 \le t \le T$, the result immediately follows from Lemma 3. ■



D. Over-approximation of Discrete Transition State

For a given time bound $T$, suppose that the event $\tau_1 < T$ is determined for some $\delta$ and $h$ as shown in Lemma 4. Then, to continue to compute a bounded $\epsilon$-reach set beyond an initial location, we need to determine (i) a new location to which a discrete transition is made from an initial location, and also (ii) an over-approximation of a discrete transition state from which the bounded $\epsilon$-reach set computation can be continued. We now show that these can be determined if a discrete transition state $x(\tau_1)$ is deterministic and, more importantly, transversal, as defined in Definition 5.

Lemma 6. Given $\tau_1 < T$, if $x(\tau_1) \in \partial Inv_0$ satisfies a deterministic and transversal discrete transition condition, then there exists a $\delta > 0$ such that $B_{2\delta}(x(\tau_1)) \subseteq (Inv_0 \cup Inv_1)$ for some location $l_1$. Furthermore, there exists a $\Delta > 0$ such that

(i) $x(t) \in (Inv_1)^\circ$ for $t \in (\tau_1, \tau_1 + \Delta)$, and

(ii)

$$\bigcup_{y \in \mathcal{U}_{0,1}} x(\tau; y) \subseteq (Inv_1)^\circ \quad \text{for } \tau \in (0, \Delta), \qquad (16)$$

where $x(\tau; y)$ is the solution at time $\tau$ of an LTI system for the location $l_1$ with an initial state $y$ and $\mathcal{U}_{0,1} := B_\delta(x(\tau_1)) \cap Inv_0 \cap Inv_1$.

Proof: Let $Inv_1$, $Inv_2$ be invariant sets for some locations $l_1$ and $l_2$ such that $Inv_0 \cap Inv_1 \cap Inv_2 \neq \emptyset$. Since $x(\tau_1)$ satisfies a deterministic discrete transition condition, if $x(\tau_1) \in Inv_0 \cap Inv_1$, then $x(\tau_1) \notin Inv_0 \cap Inv_2$. This implies that $x(\tau_1) \notin Inv_2$. Then by compactness of $Inv_2$, we know that there exists a $\delta' > 0$ such that $B_{\delta'}(x(\tau_1)) \cap Inv_2 = \emptyset$. Therefore, we conclude that $B_{\delta'}(x(\tau_1)) \subseteq Inv_0 \cup Inv_1$.

Let $n_1$ be an outward normal vector of $\partial Inv_0$ at $x(\tau_1)$. Since $x(\tau_1)$ satisfies a transversal discrete transition condition from the location $l_0$ to the other location $l_1$, we know that there exists a $\delta'' > 0$ such that for all $x(t) \in B_{\delta''}(x(\tau_1)) \cap Inv_0 \cap Inv_1$, $\langle \dot{x}(t), n_1 \rangle > 0$, where $\dot{x}(t)$ is taken as either $A_0 x(t) + u_0$ or as $A_1 x(t) + u_1$, by the continuity of the vector fields of the LTI dynamics for $l_0$ and $l_1$.

Let $\delta = \min\{\delta'/2, \delta''/2\}$, and $\Delta := \delta/(2v)$ where $v$ is as defined in (9). Then by the definition of $\delta$ and $v$, it is clear that (i) and (ii) hold for these choices of $\delta$ and $\Delta$. ■

In Lemma 6, $\mathcal{U}_{0,1}$ is an over-approximation of $x(\tau_1)$ that is determined by taking a $\delta$-ball around $x(\tau_1)$ for suitably small $\delta > 0$, and intersecting it with $Inv_0$ and $Inv_1$. Once such a suitably small $\delta$ is known, then the following lemma shows that it is also possible to determine a $\delta_0$-neighborhood of an initial state $x_0$ such that the reach set at time $\tau_1$ of a DTLHA $\mathcal{A}$ from $B_{\delta_0}(x_0)$ is contained in $B_\delta(x(\tau_1))$.

Lemma 7. Given $\delta$ determined by Lemma 6, there exists a $\delta_0$ such that

$$\mathcal{D}_{\tau_1}(B_{\delta_0}(x_0)) \subseteq B_\delta(x(\tau_1)), \qquad (17)$$

and $\mathcal{D}_{\tau_1}(B_{\delta_0}(x_0)) \cap Inv_0 \cap Inv_1$ is an over-approximation of $x(\tau_1)$ determined by $\delta_0$.

Proof: This follows from the same argument used in the proof of Lemma 2 by choosing $\delta_0 = \delta/C$. ■

The next lemma shows that $\delta_0$ for $B_{\delta_0}(x_0)$ can be determined at each discrete transition time $\tau_k$ for $k > 1$.

Lemma 8. Let $\delta_k$ be the radius of a ball centered at $x(\tau_k)$ intersecting only $Inv_{k-1}$ and $Inv_k$, where $\tau_k$ is the $k$-th discrete transition time and $l_k$ is the location after the $k$-th discrete transition. Then for any $x(\tau_k)$ satisfying a deterministic and transversal discrete transition condition, there exists a $\delta_0$ such that

$$\mathcal{D}_{\tau_k}(B_{\delta_0}(x_0)) \subseteq B_{\delta_k}(x(\tau_k)), \qquad (18)$$

where $\mathcal{D}_{\tau_k}(B_{\delta_0}(x_0))$ is the set of reached states of a given DTLHA $\mathcal{A}$ from $B_{\delta_0}(x_0)$ at time $\tau_k$.

Proof: From the continuity property shown in Lemma 2, there is a $\delta_{k-1} > 0$ such that $\mathcal{D}_{[0, \tau_k - \tau_{k-1}]}(B_{\delta_{k-1}}(x(\tau_{k-1}))) \subseteq \mathcal{D}_{[0, \tau_k - \tau_{k-1}]}(x(\tau_{k-1}), \delta_k)$ for a given $\delta_k$, where $\mathcal{D}_{[0, \tau_k - \tau_{k-1}]}(x(\tau_{k-1}), \delta_k)$ denotes a $\delta_k$-approximation of $\mathcal{D}_{[0, \tau_k - \tau_{k-1}]}(x(\tau_{k-1}))$. Then for this $\delta_{k-1}$ it is clear that $\mathcal{D}_{\tau_k}(B_{\delta_{k-1}}(x(\tau_{k-1}))) \subseteq B_{\delta_k}(x(\tau_k))$. Using the same argument, we can find $\delta_{k-2}, \delta_{k-3}, \cdots, \delta_1$. Then from Lemma 7 we know that there exists a $\delta_0 > 0$ such that $\mathcal{D}_{\tau_1}(B_{\delta_0}(x_0)) \subseteq B_{\delta_1}(x(\tau_1))$. Since $\mathcal{D}_{\tau_2 - \tau_1}(B_{\delta_1}(x(\tau_1))) \subseteq B_{\delta_2}(x(\tau_2))$, we have $\mathcal{D}_{\tau_2}(B_{\delta_0}(x_0)) \subseteq B_{\delta_2}(x(\tau_2))$. This relation holds for each $\tau_i$ where $i = 1, 2, \cdots, k$. Therefore, $\mathcal{D}_{\tau_k}(B_{\delta_0}(x_0)) \subseteq B_{\delta_k}(x(\tau_k))$. ■

We now present our main result for the bounded $\epsilon$-reachability of a DTLHA.

Theorem 1. Given $\epsilon > 0$, a time bound $T > 0$, a discrete transition bound $N \in \mathbb{N}$, and a DTLHA $\mathcal{A}$ starting from an initial condition $(l_0, x_0) \in L \times \mathbb{R}^n$, there exist $\delta > 0$, $\gamma > 0$, and a sampling period $h > 0$ satisfying $h \le \gamma/v$ such that

$$\mathcal{R}_{t_f}(x_0) \subseteq \mathcal{R}_{t_f}(B_\delta(x_0), \gamma) \subseteq \mathcal{R}_{t_f}(x_0, \epsilon), \qquad (19)$$

where $t_f := \min\{\tau_N, T\}$ and $\tau_N$ is the time at the $N$-th discrete transition.

Proof: Let $C_i := \max_{0 \le t \le t_f} \{e^{\|A_i\| t}\}$ for a location $l_i \in L$ and $C := \max_{l_i \in L} \{C_i\}$. For a given $\epsilon > 0$, suppose $\delta_k \le \epsilon/(4C)$ at each $\tau_k$ up to $t_f$ where $\delta_k$ is as defined in Lemma 8. Then, from Lemmas 6, 7 and 8, we know that there exists a $\delta' > 0$ such that $\mathcal{D}_{\tau_k}(B_{\delta'}(x_0)) \subseteq B_{\delta_k}(x(\tau_k))$ where $x(t)$ is the execution of a DTLHA $\mathcal{A}$ starting from $x_0$ at time zero. Furthermore, from Lemmas 4 and 6, there also exist $h > 0$ and $\delta'' > 0$ such that (i) $h < \Delta_k$ and (ii) $h$ and $\delta''$ satisfy Lemma 4 at every $\tau_k$ up to $t_f$, where $\Delta_k$ is the $\Delta$ that is defined in Lemma 6 for the $k$-th deterministic and transversal discrete transition.

Let $\delta := \min\{\delta', \delta''\}$. Then, with $\delta$ and $h$, we can determine every discrete transition event and also construct an over-approximation of the discrete transition state as long as it is deterministic and transversal. Since $\delta \le \delta'$, $\mathcal{D}_{\tau_k}(B_\delta(x_0)) \subseteq B_{\delta_k}(x(\tau_k))$ at each $\tau_k$ up to $t_f$. Thus, for any $\gamma > 0$,

$$\mathcal{D}_{[0, \tau^k_{k+1}]}(\mathcal{D}_{\tau_k}(B_\delta(x_0)), \gamma) \subseteq \mathcal{D}_{[0, \tau^k_{k+1}]}(B_{\delta_k}(x(\tau_k)), \gamma),$$

where $\tau^k_{k+1} := \tau_{k+1} - \tau_k$.

Now, we notice that if $\gamma \le \epsilon/4$, then from Lemma 3

$$\mathcal{D}_{[0, \tau^k_{k+1}]}(\mathcal{D}_{\tau_k}(B_\delta(x_0)), \gamma) \subseteq \mathcal{R}_{\tau^k_{k+1}}(x(\tau_k), \epsilon),$$

for each $\tau_k$ up to $t_f$, where the left hand side is a segment of $\mathcal{R}_{t_f}(B_\delta(x_0), \gamma)$ for $[\tau_k, \tau_{k+1}]$, and the right hand side is a segment of $\mathcal{R}_{t_f}(x_0, \epsilon)$ for $[\tau_k, \tau_{k+1}]$ that is defined as $\bigcup_{n=0}^{N_k} B_\epsilon(x(\tau_k + nh))$ where $N_k := \lfloor (\tau_{k+1} - \tau_k)/h \rfloor$.

Furthermore, if $h \le \gamma/v$, then from (9) with $\epsilon$ replaced by $\gamma$, it is clear that

$$\mathcal{D}_{[0, \tau^k_{k+1}]}(\mathcal{D}_{\tau_k}(x_0)) \subseteq \mathcal{D}_{[0, \tau^k_{k+1}]}(\mathcal{D}_{\tau_k}(B_\delta(x_0)), \gamma),$$

where the left hand side is a segment of $\mathcal{R}_{t_f}(x_0)$ for $[\tau_k, \tau_{k+1}]$. Therefore, the result holds. ■

IV. Computing a Bounded $\epsilon$-Reach Set of a DTLHA

From Theorem 1 we know that a set $\mathcal{R}_{t_f}(B_\delta(x_0), \gamma)$, a bounded $\epsilon$-reach set of a DTLHA, can be computed for some $\delta$, $\gamma$, and $h$. In this section, we discuss how to compute $\mathcal{R}_{t_f}(B_\delta(x_0), \gamma)$. More precisely, we derive a set of conditions, based on the results in Section III, that are needed to correctly detect a deterministic and transversal discrete state transition event and also to determine whether the values for the parameters $\delta$, $\gamma$, and $h$ are appropriate so as to ensure that $\mathcal{R}_{t_f}(B_\delta(x_0), \gamma)$ is a correct bounded $\epsilon$-reach set. Furthermore, later in this section, we extend these conditions to incorporate the numerical calculation errors caused by finite precision numerical calculation capabilities.

A. Conditions for Bounded $\epsilon$-Reach Set Computation

We first note some properties that a set $\mathcal{R}_{t_f}(B_\delta(x_0), \gamma)$ needs to satisfy so that it can be considered as a bounded $\epsilon$-reach set of a DTLHA.

Remark 1. Notice that any $\mathcal{R}_{t_f}(B_\delta(x_0), \gamma)$ that can be determined by $\delta$, $\gamma$, and $h$ in Theorem 1 for a given $\epsilon > 0$ needs to satisfy the following properties:

(i) $d_H(\mathcal{R}_{t_f}(B_\delta(x_0), \gamma), \mathcal{R}_{t_f}(x_0)) \le \epsilon$,

(ii) $\mathcal{R}_{t_f}(B_\delta(x_0)) \subseteq \mathcal{R}_{t_f}(B_\delta(x_0), \gamma)$, and

(iii) $d_H(\mathcal{R}_{t_f}(B_\delta(x_0), \gamma), \mathcal{R}_{t_f}(B_\delta(x_0))) \le \gamma$.

For given $\delta$ and $h$, the following lemma shows how we can detect a discrete state transition event if there is one.
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Lemma 9. Given a location l c and a DTLHA A if 

T> t -h(Bs(xo)) C (Inv c )° and T>t(Bs(xo)) C Inv^ for some 
5 > and h > 0, where B$(xa) is a 5-neighborhood of the 
initial state xq, then there is a discrete transition from the 
location l c to some other locations at some time in (t — h, t). 

Proof: Recall that V t (xo) denotes the reached state of A 
at time t from xq. Then it is clear that V t (xo) £ T> t (Bs{xo)). 
Similarly, T> t -h{xo) £ Uf-hiBsixo)). Hence, from the hy- 
pothesis, V t (xo) £ Inv^' and T> t _ h (x ) £ (Inv c )°. This 
implies that there exists r £ [t—h, t) such that T> s (xq) £ Inv° 
for s £ [t—h,r) and T> s (xq) £ Inv^' for s £ (r, t]. Therefore, 
there is a discrete transition at some time r £ (t — h,t). ■ 
Once a discrete state transition is detected, then, by Lemma 10, we can check whether it is deterministic or not.

Lemma 10. Given an initial state $x_0$ and a DTLHA $\mathcal{A}$, suppose that there is a discrete transition from a location $l_c$ to some other location at time $t$, i.e., $\mathcal{D}_{t-h}(B_\delta(x_0)) \subset (\mathrm{Inv}_c)^\circ$ and $\mathcal{D}_t(B_\delta(x_0)) \subset (\mathrm{Inv}_c)^c$ for some $\delta > 0$ and $h > 0$. Then the discrete transition is deterministic if there exists a location $l_n$ such that $l_n \neq l_c$ and $\mathcal{D}_t(B_\delta(x_0)) \subset (\mathrm{Inv}_n)^\circ$.

Proof: This follows from the definition of a deterministic discrete transition in Definition 5. ■
We now present conditions to determine the transversality of a discrete state transition; this is more complicated than those in the previous two lemmas. The main idea of the conditions in the following Lemma 11 is that (i) $\delta$ and $\gamma$ have to be small enough so that every state in an over-approximation of a deterministic and transversal discrete transition state, which can be computed by $\delta$ and $\gamma$, is also deterministic and transversal, and also (ii) the sampling period $h$ should be small enough so that any reached states right after a discrete state transition can be captured correctly.

Lemma 11. Given $\gamma > 0$ and $h > 0$ satisfying $h < \gamma/v$, suppose that there is a deterministic discrete transition from a location $l_c$ to another location $l_n$ at time $t$, i.e., $\mathcal{D}_{t-h}(B_\delta(x_0)) \subset (\mathrm{Inv}_c)^\circ$ and $\mathcal{D}_t(B_\delta(x_0)) \subset (\mathrm{Inv}_n)^\circ$ for some $\delta > 0$ and $h > 0$. Then for any $\epsilon > 0$, the discrete transition is transversal if the following conditions hold:

(i) $h < (\mathrm{dia}(J_{c,n})/2)/(2v)$,

(ii) $\mathcal{D}(J_{c,n}, \mathrm{dia}(J_{c,n})/2) \subset (\mathrm{Inv}_c \cup \mathrm{Inv}_n)$, and
(iii) $\langle \dot{x}_c, n_c \rangle > \epsilon \;\wedge\; \langle \dot{x}_n, n_c \rangle > \epsilon$, $\forall x \in V(J'_{c,n})$,

where $J_{c,n} := \mathcal{D}_t(B_\delta(x_0),\gamma) \cap \mathrm{Inv}_c \cap \mathrm{Inv}_n$, $J'_{c,n} := \mathcal{D}(J_{c,n}, \mathrm{dia}(J_{c,n})/2) \cap \mathrm{Inv}_c \cap \mathrm{Inv}_n$, $v$ is as defined in (9), $V(\mathcal{P})$ is the set of vertices of a polyhedron $\mathcal{P}$, $n_c$ is an outward normal vector of $\partial \mathrm{Inv}_c$, and $\dot{x}_i$ is the vector flow evaluated with respect to the LTI dynamics of location $l_i \in L$.

Proof: Notice that $\mathcal{D}_{t-h}(B_\delta(x_0)) \subset \mathcal{D}_t(B_\delta(x_0),\gamma)$ since $\gamma$ and $h$ satisfy $h < \gamma/v$. In fact, $\bigcup_{z \in \mathcal{D}_{t-h}(B_\delta(x_0))} x(\tau; z) \subset \mathcal{D}_t(B_\delta(x_0),\gamma)$ for $\tau \in [0,h]$, where $x(\tau;z) := e^{A_c \tau} z + \int_0^\tau e^{A_c s} u_c\, ds$ under the LTI dynamics of the location $l_c$. Since $\mathcal{D}_{t-h}(x_0) \in \mathcal{D}_{t-h}(B_\delta(x_0))$ and $\mathcal{D}_t(x_0) \in \mathcal{D}_t(B_\delta(x_0))$, $\mathcal{D}_{\tau'}(x_0) \in J_{c,n}$ for some $\tau' \in (t-h, t)$ where $\mathcal{D}_{\tau'}(x_0)$ is a discrete transition state from $l_c$ to $l_n$ at time $\tau'$. Thus $J_{c,n} \neq \emptyset$ (more precisely, $J_{c,n}^\circ \neq \emptyset$) and it is in fact an over-approximation of the deterministic discrete transition state $x_{\tau'} \in \mathrm{Inv}_c \cap \mathrm{Inv}_n$.

If (ii) and (iii) hold, then it is easy to see that $z'$ satisfies the deterministic and transversal discrete transition condition in Definition 5 for any $z' \in J_{c,n}$. Now we suppose (i) holds and let $x(h; z)$ be the state reached from $z$ at time $h$ under the LTI dynamics of the location $l_n$; then, for any $z \in J_{c,n}$,

$$\|x(h; z) - z\| \le vh < \mathrm{dia}(J_{c,n})/2.$$

If we now consider the fact that $\mathrm{dia}(J'_{c,n}) \ge 2 \cdot \mathrm{dia}(J_{c,n})$, then it is easy to see that $x(\tau; z) \in \mathrm{Inv}_n^\circ$ for $\tau \in (0, h)$. Since $z \in J_{c,n}$ is arbitrary, we conclude that

$$\mathcal{D}_\tau(J_{c,n}) \subset \mathrm{Inv}_n^\circ$$

for all $\tau \in (0, h)$. Thus, the discrete transition state $\mathcal{D}_{\tau'}(x_0) \in J_{c,n}$ is transversal and it can be determined through $J_{c,n}$ with $h$ satisfying (i). ■
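Conditions (i) and (iii) of Lemma 11 as an added check in Python, not the paper's code: the two locations, their dynamics, the boundary normal $n_c$, the vertex sets of $J_{c,n}$ and $J'_{c,n}$, $v$, $h$ and $\epsilon$ are all constructed here, and condition (ii), a polyhedral-neighborhood containment, is left to the polyhedral library.

```python
"""Added example (not the paper's code): conditions (i) and (iii) of Lemma 11
for a 2-D DTLHA with two locations sharing the boundary x_2 = 0. Dynamics, the
outward normal n_c, the vertex sets J and J', v, h and eps are all constructed;
condition (ii), a polyhedral-neighbourhood containment, is not implemented."""
import math


def flow(A, u, x):
    """x_dot = A x + u for the LTI dynamics of one location."""
    return tuple(sum(A[i][j] * x[j] for j in range(len(x))) + u[i]
                 for i in range(len(x)))


def dot(a, b):
    return sum(p * q for p, q in zip(a, b))


def diameter(vertices):
    """dia(P): largest distance between two vertices."""
    return max(math.dist(p, q) for p in vertices for q in vertices)


def transversal_conditions(A_c, u_c, A_n, u_n, n_c, J, J_prime, h, v, eps):
    """Returns (cond_i, cond_iii, first vertex of J' violating (iii) or None).
    (i):   h < (dia(J)/2)/(2v), so the flow moves at most dia(J)/4 in one step.
    (iii): <x_dot_c, n_c> > eps and <x_dot_n, n_c> > eps at every vertex of J',
           i.e. both vector fields cross the boundary of Inv_c outward with margin."""
    cond_i = h < (diameter(J) / 2) / (2 * v)
    for x in J_prime:
        if dot(flow(A_c, u_c, x), n_c) <= eps or dot(flow(A_n, u_n, x), n_c) <= eps:
            return cond_i, False, x
    return cond_i, True, None


# Constructed data: Inv_c = {x_2 >= 0}, Inv_n = {x_2 <= 0}; the outward normal of
# the boundary of Inv_c is (0, -1), and both locations push x_2 downward.
A_C = [[-1.0, 0.0], [0.0, -1.0]]
U_C = (0.0, -3.0)
A_N = [[-1.0, 0.0], [0.0, -1.0]]
U_N = (1.0, -2.0)
N_C = (0.0, -1.0)
J_EX = [(0.9, -0.05), (1.1, -0.05), (1.1, 0.05), (0.9, 0.05)]
J_PRIME_EX = [(0.8, -0.15), (1.2, -0.15), (1.2, 0.15), (0.8, 0.15)]
```

Replacing $u_n$ by a vector field that points back into $\mathrm{Inv}_c$ makes the check return the first vertex of $J'_{c,n}$ at which (iii) fails.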



B. Finite Precision Basic Calculations



Notice that the results in Section IV-A are based on the assumption that the following quantities can be computed exactly:

• $x(t; x_0) = e^{At} x_0 + \int_0^t e^{As} u\, ds$.

• $\mathcal{H} \cap \mathcal{P}$, where $\mathcal{H}$ is a hyperplane and $\mathcal{P}$ is a polyhedron.

• $\mathrm{hull}(V)$, where $\mathrm{hull}(V)$ is the convex hull of $V$ that is a finite set of points in $\mathbb{R}^n$.

However, these exact computation assumptions cannot be satisfied in practice and we can only compute each of these with possibly arbitrarily small computation error. Therefore, instead of assuming exact computation capabilities for $x(t; x_0)$, $\mathcal{H} \cap \mathcal{P}$, and $\mathrm{hull}(V)$, we now assume that the following basic calculation capabilities are available for approximately computing these quantities, and it is only these that we can use to compute a bounded ε-reach set. More precisely, we assume that for given $\mu_c > 0$ and $\mu_h > 0$,

• $a(\mathcal{H} \cap \mathcal{P}, \mu_c)$ and $a(\mathrm{hull}(V), \mu_h)$

are available such that $d_H(x, a(x,y)) \le y$, where $a(x,y)$ denotes an approximate computation of $x$, with $y > 0$ as an upper bound on the approximation error. We also assume that for given $\sigma_e > 0$ and $\sigma_i > 0$,

• $a(e^{At}, \sigma_e)$ and $a(\int_0^t e^{A\tau}\, d\tau, \sigma_i)$

are available as an approximate computation of $x(t; x_0)$ such that $\|x - a(x,y)\| \le y$. Notice that from these basic calculation capabilities for $x(t; x_0)$, we can compute $a(x(t; x_0), \mu_x)$ with an approximation error denoted as $\mu_x$, which is upper bounded by a finite value as shown below.

We first note that, for all approximate computations $a(x,y)$ that are used for computing $x(t; x_0)$, we have

$$x - y \cdot \mathbf{1}_{n \times m} \le a(x,y) \le x + y \cdot \mathbf{1}_{n \times m}, \qquad (20)$$

where $x \in \mathbb{R}^{n \times m}$ and $\mathbf{1}_{n \times m}$ is an $n$ by $m$ matrix whose every element is 1, and the inequalities hold elementwise. With this, an upper bound of $\mu_x$ can be derived as follows:



$$e^{At} - \sigma_e \cdot \mathbf{1}_{n \times n} \le a(e^{At}, \sigma_e) \le e^{At} + \sigma_e \cdot \mathbf{1}_{n \times n}.$$

Similarly,

$$\int_0^t e^{As}\, ds - \sigma_i \cdot \mathbf{1}_{n \times n} \le a\left(\int_0^t e^{As}\, ds, \sigma_i\right) \le \int_0^t e^{As}\, ds + \sigma_i \cdot \mathbf{1}_{n \times n}.$$

Hence, we have

$$x(t; x_0) - S_x \le a(x(t; x_0), S_x) \le x(t; x_0) + S_x,$$

where $S_x := (\sigma_e |x_0| + \sigma_i |u|) \cdot \mathbf{1}_{n \times 1}$.

Now, we know that $\mu_x$ is upper bounded by the maximum of $|S_x|$ over the continuous state space $X$ and the control input domain $U$,

$$\mu_x \le \max_{x_0 \in X,\, u \in U} |S_x|. \qquad (21)$$

C. Conditions for Computation under Finite Precision Calculations

In this section, we extend the results in Section IV-A to derive a set of conditions for a bounded ε-reach set computation of the DTLHA under finite precision numerical calculation capabilities. The following remark is an immediate extension of Remark 1 in Section IV-A.

In the sequel, for simplicity of notation, we use $\hat{x}$ to denote $a(x, \rho)$ for a given approximation error bound $\rho > 0$.

Remark 2. Let $\hat{\mathcal{R}}_{t_f}(B_\delta(x_0), \gamma)$ be an approximation of $\mathcal{R}_{t_f}(B_\delta(x_0), \gamma)$ that is determined by $\delta$, $\gamma$, and $h$ in Theorem 1 and approximate calculations for $x(t; x_0)$, $\mathcal{H} \cap \mathcal{P}$, and $\mathrm{hull}(V)$ defined in Section IV-B. Then, for a given $\epsilon > 0$, it is sufficient for $\hat{\mathcal{R}}_{t_f}(B_\delta(x_0), \gamma)$ to be a bounded ε-reach set of a DTLHA $\mathcal{A}$ if the following properties hold:

(i) $d_H(\hat{\mathcal{R}}_{t_f}(B_\delta(x_0), \gamma), \mathcal{R}_{t_f}(x_0)) < \epsilon$,

(ii) $\mathcal{R}_{t_f}(B_\delta(x_0)) \subset \hat{\mathcal{R}}_{t_f}(B_\delta(x_0), \gamma)$, and
(iii) $d_H(\hat{\mathcal{R}}_{t_f}(B_\delta(x_0), \gamma), \mathcal{R}_{t_f}(B_\delta(x_0))) < \gamma$.

Next, we discuss how the relation between $h$ and $\gamma$ can be modified so as to satisfy (ii) and (iii) in Remark 2 when there is numerical calculation error in computing $x(t; x_0)$.

Lemma 12. Given a DTLHA $\mathcal{A}$ and its reached state $x(t)$ at time $t$ starting from an initial condition $x(0)$, let $\rho > 0$ be an upper bound on the approximation errors such that $\|x(t) - \hat{x}(t)\| \le \rho$. If a given sampling period $h$ satisfies $h < (\gamma - \rho)/v$ for a given $\gamma$ satisfying $\gamma > \rho$, where $v$ is as defined in (9), then the following property holds at any location $l_i \in L$ of $\mathcal{A}$:

$$x(t + \tau) \in B_\gamma(\hat{x}(t)), \quad \forall \tau \in [0, h], \qquad (22)$$

where $x(t + \tau) := e^{A_i \tau} x(t) + \int_0^\tau e^{A_i s} u_i\, ds$.



Proof: Since $\|x(t) - \hat{x}(t)\| \le \rho$, $x(t) \in B_\rho(\hat{x}(t))$. Moreover, from (8), we know that for any $x(t) \in X$,

$$\max_{\tau \in [0,h]} \|x(t + \tau) - x(t)\| \le \max_{\tau \in [0,h]} \int_t^{t+\tau} \|\dot{x}(s)\|\, ds \le vh.$$

Hence, if $h < (\gamma - \rho)/v$, then, for any $x(t) \in X$,

$$\max_{\tau \in [0,h]} \|x(t + \tau) - x(t)\| < \gamma - \rho.$$

This means that $x(t + \tau) \in B_{\gamma - \rho}(x(t))$ for $\tau \in [0, h]$. Therefore, for $\tau \in [0, h]$,

$$\|\hat{x}(t) - x(t + \tau)\| \le \|\hat{x}(t) - x(t)\| + \|x(t) - x(t + \tau)\| < \rho + (\gamma - \rho) = \gamma.$$

Thus $\|\hat{x}(t) - x(t + \tau)\| < \gamma$. ■



Notice that Lemma 12 says that if $h < (\gamma - \rho)/v$ for a given $\rho > 0$, then a $\gamma$-neighborhood of a sampled state is indeed an over-approximation of a trajectory over the time interval $h$. We now extend the result in Lemma 12 to the case where we need to compute a $\gamma$-approximation of a polyhedron.

Lemma 13. Given a DTLHA $\mathcal{A}$ and its reached states $\mathcal{D}_t(B_\delta(x_0))$ at some time $t$ from initial states in $B_\delta(x_0)$, let $\rho > 0$ be an upper bound on the approximation errors such that $d_H(\mathcal{D}_t(B_\delta(x_0)), \hat{\mathcal{D}}_t(B_\delta(x_0))) \le \rho$. If a given sampling period $h$ satisfies the following inequality

$$h < \frac{\gamma - \rho}{v}, \qquad (23)$$

then, for a given $\gamma$ satisfying $\gamma > \rho$,

$$\mathcal{D}_{t + \tau}(B_\delta(x_0)) \subset \hat{\mathcal{D}}_t(B_\delta(x_0), \gamma), \quad \forall \tau \in [0, h], \qquad (24)$$

where $\hat{\mathcal{D}}_t(B_\delta(x_0), \gamma)$ is a $\gamma$-approximation of $\hat{\mathcal{D}}_t(B_\delta(x_0))$ that is constructed as the convex hull of the set of extreme points of a polyhedral $\gamma$-neighborhood of all vertices of $\hat{\mathcal{D}}_t(B_\delta(x_0))$, and $v$ is as defined in (9).

Proof: Let $V$ and $\hat{V}$ be the sets of extreme points of $\mathcal{D}_t(B_\delta(x_0))$ and $\hat{\mathcal{D}}_t(B_\delta(x_0))$, respectively. Since $d_H(\mathcal{D}_t(B_\delta(x_0)), \hat{\mathcal{D}}_t(B_\delta(x_0))) \le \rho$ and $\gamma > \rho$, it is clear that $\mathcal{D}_t(B_\delta(x_0)) \subset \hat{\mathcal{D}}_t(B_\delta(x_0), \gamma)$. From Lemma 12, we know that for each $x(t) \in V$, $x(t + \tau) \in B_\gamma(\hat{x})$ for all $\tau \in [0, h]$, where $\hat{x} \in \hat{V}$ is the vertex corresponding to $x(t)$. Let $V_{t+\tau}$ be the set of extreme points of $\mathcal{D}_{t+\tau}(B_\delta(x_0))$. Then $V_{t+\tau} \subset \hat{\mathcal{D}}_t(B_\delta(x_0), \gamma)$ for all $\tau \in [0, h]$ since (i) for each $x(t) \in V$, $x(t + \tau) \in B_\gamma(\hat{x})$ for all $\tau \in [0, h]$ and (ii) from the construction of $\hat{\mathcal{D}}_t(B_\delta(x_0), \gamma)$, $B_\gamma(\hat{x}) \subset \hat{\mathcal{D}}_t(B_\delta(x_0), \gamma)$ for each $\hat{x} \in \hat{V}$. Therefore, the convex hull of $V_{t+\tau}$, which is $\mathcal{D}_{t+\tau}(B_\delta(x_0))$, has to be contained in $\hat{\mathcal{D}}_t(B_\delta(x_0), \gamma)$ for all $\tau \in [0, h]$ since $\hat{\mathcal{D}}_t(B_\delta(x_0), \gamma)$ is convex and $V_{t+\tau} \subset \hat{\mathcal{D}}_t(B_\delta(x_0), \gamma)$ for all $\tau \in [0, h]$. ■
For (i) in Remark 2, Lemma 14 below shows that the diameter of a set $\hat{\mathcal{D}}_t(B_\delta(x_0), \gamma)$ has to be smaller than a given $\epsilon > 0$.

Lemma 14. Given $\epsilon > 0$, $\delta > 0$, $\gamma > 0$, $\rho > 0$, and a DTLHA $\mathcal{A}$, suppose a given sampling period $h > 0$ satisfies the inequality (23). Then $\mathcal{D}_{[t, t+h]}(x_0) \subset \hat{\mathcal{D}}_t(B_\delta(x_0), \gamma)$ and

$$d_H(\hat{\mathcal{D}}_t(B_\delta(x_0), \gamma), \mathcal{D}_{[t, t+h]}(x_0)) < \epsilon$$

if the following holds:

$$\mathrm{dia}(\hat{\mathcal{D}}_t(B_\delta(x_0), \gamma)) < \epsilon, \qquad (25)$$

where $\mathcal{D}_{[t, t+h]}(x_0)$ is the set of reached states of $\mathcal{A}$ starting from $x_0$ during the time interval $[t, t+h]$.

Proof: Since $h$ satisfies (23), it is trivial to see that $\mathcal{D}_{[t, t+h]}(x_0) \subset \hat{\mathcal{D}}_t(B_\delta(x_0), \gamma)$ holds from Lemma 13. Moreover, if (25) is also true, then for any $z \in \mathcal{D}_{[t, t+h]}(x_0)$,

$$\max_{y \in \hat{\mathcal{D}}_t(B_\delta(x_0), \gamma)} \|y - z\| < \epsilon$$

since $z \in \hat{\mathcal{D}}_t(B_\delta(x_0), \gamma)$. Therefore, it is clear that $d_H(\hat{\mathcal{D}}_t(B_\delta(x_0), \gamma), \mathcal{D}_{[t, t+h]}(x_0)) < \epsilon$ if (23) and (25) hold. ■
Now we can extend the results of Lemmas 9, 10, and 11 to incorporate a numerical calculation error $\rho > 0$.

Lemma 15. Given $\rho > 0$, a location $l_c$, and $\hat{\mathcal{D}}_t(B_\delta(x_0))$ at time $t$, if

(i) $\hat{\mathcal{D}}_{t-h}(B_\delta(x_0), \rho) \subset (\mathrm{Inv}_c)^\circ$, and

(ii) $\hat{\mathcal{D}}_t(B_\delta(x_0), \rho) \subset (\mathrm{Inv}_c)^c$

for some $\delta > 0$ and $h > 0$, then there is a discrete transition from the location $l_c$ to some other location.

Proof: Notice that $d_H(\mathcal{D}_t(B_\delta(x_0)), \hat{\mathcal{D}}_t(B_\delta(x_0))) \le \rho$, which implies $\mathcal{D}_t(B_\delta(x_0)) \subset \hat{\mathcal{D}}_t(B_\delta(x_0), \rho)$. Similarly, $\mathcal{D}_{t-h}(B_\delta(x_0)) \subset \hat{\mathcal{D}}_{t-h}(B_\delta(x_0), \rho)$. Hence if (i) and (ii) hold, then it is clear that $\mathcal{D}_t(B_\delta(x_0)) \subset (\mathrm{Inv}_c)^c$ and $\mathcal{D}_{t-h}(B_\delta(x_0)) \subset (\mathrm{Inv}_c)^\circ$. Then the result follows from Lemma 9. ■

Lemma 16. Given $\rho > 0$, a location $l_c$, and $\hat{\mathcal{D}}_t(B_\delta(x_0))$ at time $t$, suppose that a discrete transition from a location $l_c$ to some other location is determined as in Lemma 15. Then the discrete transition is a deterministic discrete transition from $l_c$ to $l_n$ if there exists a location $l_n$ such that $l_n \neq l_c$ and $\hat{\mathcal{D}}_t(B_\delta(x_0), \rho) \subset (\mathrm{Inv}_n)^\circ$.

Proof: Notice that $\mathcal{D}_{t-h}(B_\delta(x_0)) \subset (\mathrm{Inv}_c)^\circ$ from the result in Lemma 15. Since $\mathcal{D}_t(B_\delta(x_0)) \subset \hat{\mathcal{D}}_t(B_\delta(x_0), \rho)$, if $\hat{\mathcal{D}}_t(B_\delta(x_0), \rho) \subset (\mathrm{Inv}_n)^\circ$, then $\mathcal{D}_t(B_\delta(x_0)) \subset (\mathrm{Inv}_n)^\circ$. Thus by Lemma 10 the conclusion holds. ■

Lemma 17. Given $\rho > 0$, $\gamma > 0$ and $h > 0$ satisfying (23), suppose that a deterministic discrete transition from a location $l_c$ to another location $l_n$ is determined as in Lemma 15 and Lemma 16, i.e., $\hat{\mathcal{D}}_{t-h}(B_\delta(x_0), \rho) \subset (\mathrm{Inv}_c)^\circ$ and $\hat{\mathcal{D}}_t(B_\delta(x_0), \rho) \subset (\mathrm{Inv}_n)^\circ$. Then, for any $\epsilon > 0$, the discrete transition is transversal if the following conditions hold:

(i) $h < (\mathrm{dia}(\hat{J}_{c,n})/2)/(2v)$,

(ii) $\mathcal{D}(\hat{J}_{c,n}, \mathrm{dia}(\hat{J}_{c,n})/2 + \rho) \subset (\mathrm{Inv}_c \cup \mathrm{Inv}_n)$, and
(iii) $\langle \dot{x}_c, n_c \rangle > \epsilon \;\wedge\; \langle \dot{x}_n, n_c \rangle > \epsilon$, $\forall x \in V(\hat{J}'_{c,n})$,

where $\hat{J}_{c,n} := \hat{\mathcal{D}}_t(B_\delta(x_0), \gamma + \rho) \cap \mathrm{Inv}_c \cap \mathrm{Inv}_n$, $\hat{J}'_{c,n} := \mathcal{D}(\hat{J}_{c,n}, \mathrm{dia}(\hat{J}_{c,n})/2 + \rho) \cap \mathrm{Inv}_c \cap \mathrm{Inv}_n$, $\hat{\mathcal{D}}_t(B_\delta(x_0), \gamma + \rho)$ is a $(\gamma + \rho)$-approximation of $\hat{\mathcal{D}}_t(B_\delta(x_0))$, and $\dot{x}_i$ and $n_c$ are as defined in Lemma 11.

Proof: Notice that $\mathcal{D}_t(B_\delta(x_0), \gamma) \subset \hat{\mathcal{D}}_t(B_\delta(x_0), \gamma + \rho)$. Then, by the definition of $J_{c,n}$ given in Lemma 11 and that of $\hat{J}_{c,n}$, we know $J_{c,n} \subset \hat{J}_{c,n}$. Hence, $\hat{J}_{c,n} \neq \emptyset$ since $J_{c,n} \neq \emptyset$ by the construction of $J_{c,n}$. Now if (i) holds, then it is easy to see that $\mathcal{D}_\tau(\hat{J}_{c,n}) \subset \mathcal{D}(\hat{J}_{c,n}, \mathrm{dia}(\hat{J}_{c,n})/2)$ for $\tau \in (0, h)$. Moreover, (ii) and (iii) imply that $\mathcal{D}_\tau(\hat{J}_{c,n})$ is in fact contained in $\mathrm{Inv}_n^\circ$ for $\tau \in (0, h)$. ■

V. Architecture and Algorithm for Bounded ε-Reach Set Computation of a DTLHA

We are now in a position to propose an algorithm for bounded ε-reach set computation of a DTLHA. Before proving its correctness, we first describe its architecture.

For flexibility, we decouple the higher levels of the algorithm, called Policy, from the component, called Mechanism, where specific steps of calculations are performed through some numerical routines. The proposed architecture of the algorithm, shown in Fig. 3, consists of roughly five different components: Policy, Mechanism, System Description, Data, and Numerics. A more detailed explanation of each of these modules is given below.

Fig. 3. An architecture for bounded ε-reach set computation (components: Policy, System Description, Data, Numerics, Mechanism).

The System Description contains all information describing a problem of a bounded ε-reach set computation of a DTLHA. This consists of $X$, the domain of the continuous state space, a DTLHA $\mathcal{A}$, and an initial condition $(l_0, x_0) \in L \times X$. Also, an upper bound $T \in \mathbb{R}_+$ on terminal time, an upper bound $N \in \mathbb{N}$ on the total number of discrete transitions, and an approximation parameter $\epsilon > 0$ are described. A bounded ε-reach set of a DTLHA $\mathcal{A}$ is computed in the Mechanism component based on a given set of numerical calculation algorithms in Numerics, as well as a given Policy, which captures some of the higher level choices of the algorithm's outer loops. In the Data component, all computation data that is relevant to a computed bounded ε-reach set, generated on-the-fly in the Mechanism part, are stored. Each of the functions in Numerics is in fact an implementation of some numerical computation algorithm. As an example, $e^{At}$ can be computed in many different ways as shown in [15], and each of the different algorithms can compute the value with a certain accuracy. Here we assume that a set of such numerical computation algorithms for basic calculations is given² and the corresponding approximation error bounds, i.e., $\sigma_e$, $\sigma_i$, $\mu_c$, and $\mu_h$, are known a priori. The Policy component represents user-defined rules that choose appropriate values of the parameters, especially $\delta > 0$, $\gamma > 0$, and $h > 0$, which are needed to continue to compute a bounded ε-reach set of a DTLHA when the bounded ε-reach set algorithm in Mechanism fails to determine some events or to satisfy some required properties during its computation. The Mechanism component represents the core of the bounded ε-reach set algorithm based on the theoretical results in Sections III and IV and is detailed in Section V-A. Given values for the parameters $\delta > 0$, $\gamma > 0$, and $h > 0$, it computes a bounded ε-reach set of a DTLHA $\mathcal{A}$ until it either successfully finishes its computation or cannot make further progress, which happens when some required conditions or properties are not met. Notice that, as stated in Section IV, there are a set of conditions and properties that a computed set needs to satisfy to be a correct bounded ε-reach set. If the algorithm fails to resolve a computation, then it returns to Policy indicating the problems so that a user-defined rule in Policy can choose another set of values for the parameters to resolve the problems. Every computation result is stored in the Data component to be possibly used later in Policy and Mechanism.

² In this way, we decouple the low-level numerical calculations from our bounded ε-reach set algorithm. This is the reason why the Numerics component is represented separately from the Mechanism component.

A. Core Algorithm for Bounded ε-Reach Set of a DTLHA

An algorithm to compute a bounded ε-reach set of a DTLHA is proposed and shown in Algorithm 1. Let $k$ indicate a computation step of the algorithm from which the proposed algorithm starts its bounded ε-reach set computation. All computation history up to the $(k-1)$-th computation step is stored as data, called Reached, in the Data part. Then, given an input $(k, \delta_k, \gamma_k, h_k)$ from Policy, the algorithm first retrieves the computation data at the $(k-1)$-th computation step from Reached and starts its $k$-th computation step using this data. As shown in Algorithm 1, the algorithm continues its computation until it either (i) returns done when it successfully finishes computing a bounded ε-reach set or (ii) returns error when it encounters some erroneous situation during the execution of a function called Post(). If the algorithm returns an error, it also indicates the cause of the error so that a user-defined rule in Policy can choose appropriate values for the input parameters.

Algorithm 1: An algorithm for bounded ε-reach set computation of a DTLHA.

Input: $k, \delta_k, \gamma_k, h_k$ from Policy
compute $\rho_x$ from $(\sigma_e, \sigma_i)$
while true do
    get data at the $(k-1)$-th step from Reached
    if $\delta_k \neq \delta_{k-1}$ then
        compute $\hat{\mathcal{D}}_{t_{k-1}}(B_{\delta_k}(x_0))$
        update $\rho_{k-1}$
    end
    $t_k \leftarrow t_{k-1} + h_k$
    call Post()
    store $k$-th computation data into Reached
    $k \leftarrow k + 1$
    if $(t_k > T) \vee (\mathrm{jump} > N)$ then return done
end



In the proposed algorithm, in Post(), $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0))$ is computed from $\hat{\mathcal{D}}_{t_{k-1}}(B_{\delta_k}(x_0))$ as follows.

Given a polyhedron $\hat{\mathcal{D}}_{t_{k-1}}(B_{\delta_k}(x_0))$, we first compute the set of vertices of $\hat{\mathcal{D}}_{t_{k-1}}(B_{\delta_k}(x_0))$, denoted as $V$. Then for each $v_i \in V$, we compute

$$v_i(h_k) := e^{A_k h_k} v_i + \int_0^{h_k} e^{A_k s} u_k\, ds,$$

where $A_k$ and $u_k$ are given by the linear dynamics of the location $l_k$ on which the linear image of $\hat{\mathcal{D}}_{t_{k-1}}(B_{\delta_k}(x_0))$ is computed at the $k$-th computation step in Algorithm 1.


Algorithm 2: A function Post().

Input: $h_k, \gamma_k, l_{k-1}, \rho_{k-1}, \hat{\mathcal{D}}_{t_{k-1}}(B_{\delta_k}(x_0))$
compute $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0))$ from $\hat{\mathcal{D}}_{t_{k-1}}(B_{\delta_k}(x_0))$
compute $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0), \gamma_k)$ from $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0))$
update $\rho_k \leftarrow \rho_{k-1} + \rho_x$
if $h_k > (\gamma_k - \rho_k)/v$ then return error
if $\mathrm{dia}(\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0), \gamma_k)) > \epsilon$ then return error
if $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0)) \cap \mathrm{Inv}(l_{k-1}) = \emptyset$ then
    if $\hat{\mathcal{D}}_{t_{k-1}}(B_{\delta_k}(x_0)) \subset \mathrm{Inv}(l_{k-1})^\circ$ then
        if deterministic $\wedge$ transversal then
            update $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0))$ and $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0), \gamma_k)$
            update $\rho_k \leftarrow \rho_k + \rho_x + \mu_c + \mu_h$
            update $l_k$
            $\mathrm{jump} \leftarrow \mathrm{jump} + 1$
        else return error
    end
else if $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0)) \not\subset \mathrm{Inv}(l_{k-1})^\circ$ then
    return error
else $l_k \leftarrow l_{k-1}$



If we let $V_h := \{v_i(h_k) : v_i \in V\}$, then we can compute $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0))$ as follows:

$$\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0)) := \mathrm{hull}(V_h),$$

where $\mathrm{hull}(V_h)$ is the convex hull of $V_h$.

Once we have $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0))$, we compute $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0), \gamma_k)$ in the following way. To compute $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0), \gamma_k)$ for a given $\gamma_k$, we first construct a hypercubic $\gamma_k$-neighborhood of $v_i(h_k)$ for each $v_i(h_k) \in V_h$. Let $B_{\gamma_k}(v_i(h_k))$ be such a $\gamma_k$ hypercubic neighborhood of $v_i(h_k)$ and $V_h^\gamma$ be the set of vertices of $B_{\gamma_k}(v_i(h_k))$ for all $v_i(h_k) \in V_h$. Then we can compute $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0), \gamma_k)$ as follows:

$$\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0), \gamma_k) := \mathrm{hull}(V_h^\gamma). \qquad (26)$$



This process of polyhedral image computation under a linear dynamics is illustrated in Fig. 4. We now show that $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0), \gamma_k)$ that is computed as in (26) is indeed a $\gamma_k$-approximation of $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0))$ for a given $\gamma_k$.

Fig. 4. The image computation under a linear dynamics: $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0))$ and $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0), \gamma_k)$.
Lemma 18. Let $\mathcal{H}$ be the convex hull of $V_h^\gamma$. Then $\mathcal{H}$ is exactly the closed $\gamma$-neighborhood of the convex hull of $V_h$.

Proof: Suppose $w \in \mathcal{H}$ and $w \notin \mathrm{hull}(V_h)$. Then $w = \lambda y_1 + (1 - \lambda) y_2$ for some $y_1$ and $y_2$ such that $\|y_1 - v_1\| \le \gamma$ and $\|y_2 - v_2\| \le \gamma$ for some $v_1, v_2 \in V_h$ and $0 \le \lambda \le 1$. Then there exists $v = \lambda v_1 + (1 - \lambda) v_2 \in \mathrm{hull}(V_h)$ such that

$$\|w - v\| = \|\lambda (y_1 - v_1) + (1 - \lambda)(y_2 - v_2)\| \le \lambda \|y_1 - v_1\| + (1 - \lambda) \|y_2 - v_2\| \le \gamma.$$

Thus $w$ is in the $\gamma$-neighborhood of the convex hull of $V_h$.

For the converse, consider $z$ in the $\gamma$-neighborhood of the convex hull of $V_h$. Then for some $\lambda_i \ge 0$ with $\sum_i \lambda_i = 1$, $\|z - \sum_i \lambda_i v_i(h)\| \le \gamma$, where $v_i(h) \in V_h$. Let $s := z - \sum_i \lambda_i v_i(h)$. Now $z = \sum_i \lambda_i (v_i(h) + s)$. So $z$ is in the convex hull of $\{v_i(h) + s\}$. However, each $v_i(h) + s \in B_\gamma(v_i(h))$. Hence each $v_i(h) + s$ is in the convex hull of the vertices of $B_\gamma(v_i(h))$, which is contained in $\mathcal{H}$. Thus $z$ is in $\mathcal{H}$. ■
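The image step of Post() described above (the vertex image $v_i(h_k)$, $\mathrm{hull}(V_h)$, and the $\gamma_k$-hypercube hull of (26) that Lemma 18 characterizes), together with the two early checks of Post() from Lemmas 13 and 14, as an added pure-Python example that is not the paper's code or its Matlab implementation. The dynamics, the domain $X$, the sample polyhedron and the parameter values are constructed, and the matrix exponential is a small scaling-and-squaring routine rather than one of the methods of [15].

```python
"""Added example (not the paper's code): the polyhedral image step of Post()
for one 2-D location, the gamma-hypercube hull of (26), and the two early
checks of Post(): h < (gamma - rho)/v (Lemma 13) and dia(.) < eps (Lemma 14).
All numbers (A, u, X, the sample polyhedron, gamma, h, eps) are constructed."""
import math
from itertools import product

def matmul(P, Q):
    """Product of two small square matrices stored as lists of rows."""
    n = len(P)
    return [[sum(P[i][k] * Q[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]

def expm(M, scale_steps=20, terms=20):
    """e^M by scaling and squaring with a truncated Taylor series (pure Python)."""
    n = len(M)
    S = [[M[i][j] / 2 ** scale_steps for j in range(n)] for i in range(n)]
    R = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    T = [row[:] for row in R]  # T holds S^k / k!
    for k in range(1, terms + 1):
        T = [[x / k for x in row] for row in matmul(T, S)]
        R = [[R[i][j] + T[i][j] for j in range(n)] for i in range(n)]
    for _ in range(scale_steps):
        R = matmul(R, R)
    return R

def flow_vertex(A, u, h, v):
    """x(h; v) = e^{Ah} v + int_0^h e^{As} u ds, read off the exponential of the
    augmented matrix [[A h, u h], [0, 0]] (Van Loan's trick)."""
    n = len(A)
    aug = [[A[i][j] * h for j in range(n)] + [u[i] * h] for i in range(n)]
    aug.append([0.0] * (n + 1))
    E = expm(aug)
    return tuple(sum(E[i][j] * v[j] for j in range(n)) + E[i][n] for i in range(n))

def convex_hull(points):
    """Andrew's monotone chain; hull vertices in counter-clockwise order."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts

    def cross(o, a, b):
        return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

    lower, upper = [], []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]

def post_image(A, u, h, vertices):
    """hull(V_h) with V_h = {v_i(h)}: the polyhedron after time h (Section V-A)."""
    return convex_hull([flow_vertex(A, u, h, v) for v in vertices])

def gamma_hull(vertices, gamma):
    """Eq. (26): hull of the vertices of the gamma-hypercube around each vertex.
    By Lemma 18 this is the closed gamma-neighbourhood (max norm) of hull(V_h)."""
    box = [tuple(c + s for c, s in zip(v, signs))
           for v in vertices for signs in product((-gamma, gamma), repeat=len(v))]
    return convex_hull(box)

def diameter(vertices):
    """dia(P): largest distance between two vertices of the polyhedron."""
    return max((math.dist(p, q) for p in vertices for q in vertices), default=0.0)

def flow_bound(A, u, domain_vertices):
    """v of (9): max of ||A x + u|| over the box X; the norm of an affine map is
    convex in x, so the maximum over X is attained at one of its corners."""
    n = len(A)
    return max(math.hypot(*[sum(A[i][j] * x[j] for j in range(n)) + u[i]
                            for i in range(n)]) for x in domain_vertices)

def post_step(A, u, h, gamma, rho, eps, domain_vertices, vertices):
    """One image step of Post(): D_{t_k}, its gamma-hull, and the two checks
    whose failure makes Post() return error."""
    v = flow_bound(A, u, domain_vertices)
    image = post_image(A, u, h, vertices)
    over = gamma_hull(image, gamma)
    return {"v": v, "image": image, "gamma_hull": over,
            "sampling_ok": h < (gamma - rho) / v,  # Lemma 13, inequality (23)
            "diameter_ok": diameter(over) < eps}   # Lemma 14, inequality (25)

# Constructed data: a stable LTI location, X = [-8, 8]^2 and a small box around x0.
A_EX = [[-1.0, 0.0], [0.0, -2.0]]
U_EX = (1.0, 0.0)
X_CORNERS = [(sx, sy) for sx in (-8.0, 8.0) for sy in (-8.0, 8.0)]
BOX = [(2.49, 5.99), (2.51, 5.99), (2.51, 6.01), (2.49, 6.01)]
```

With $h = 0.005$ and $\gamma = 0.1$ both checks pass on the constructed data; with $h = 0.5$ the sampling check fails, which is the situation in which Post() returns error to Policy.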
Notice that the first update of $\rho_k$ in Post() is due to the computation of $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0))$ from $\hat{\mathcal{D}}_{t_{k-1}}(B_{\delta_k}(x_0))$ over the time interval $h_k$ under the linear dynamics of $l_{k-1}$. The second update after a deterministic and transversal discrete transition is due to a series of computations from $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0))$, which is used to determine such a discrete transition, to a new $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0))$ that represents the reached states at time $t_k$ right after a deterministic and transversal discrete transition. As described in Lemma 17, the steps involved during this discrete transition are to compute (i) $\hat{J}_{c,n}$ from $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0))$ and (ii) $\hat{\mathcal{D}}_{h_k}(\hat{J}_{c,n})$ from $\hat{J}_{c,n}$. Notice that (i) requires an intersection between a hyperplane and a polyhedron as well as a convex hull computation. Moreover, for (ii), we need to compute a polyhedral image under the linear dynamics of a new location that is determined in Post(). Recall that we have derived a set of conditions in Lemmas 15, 16, and 17 to determine a deterministic and transversal discrete transition event. These conditions are used in Post() to determine such an event. Furthermore, we also use the conditions derived in Lemmas 13 and 14 to ensure that a set $\hat{\mathcal{R}}_{t_f}(B_\delta(x_0), \gamma)$, which can be constructed as a collection of $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0), \gamma_k)$ as shown in the following theorem, satisfies the properties given in Remark 2.

Now, we present our main result for the problem of computing a bounded ε-reach set of a DTLHA.

Theorem 2. Given input $(X, \mathcal{A}, l_0, x_0, T, N, \epsilon)$ for a problem to compute a bounded ε-reach set of a DTLHA $\mathcal{A}$, if Algorithm 1 returns done, then a bounded ε-reach set of the DTLHA $\mathcal{A}$ defined over the continuous state domain $X$ starting from an initial condition $(l_0, x_0) \in L \times \mathbb{R}^n$, denoted as $\mathcal{R}_{t_f}(x_0, \epsilon)$, is the following:

$$\mathcal{R}_{t_f}(x_0, \epsilon) := \bigcup_{k=1}^{K} \hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0), \gamma_k), \qquad (27)$$

for some $K \in \mathbb{N}$ where $t_f := \min\{T, t_N\}$ and $t_N$ is the time at the $N$-th discrete transition.

Proof: For each $k \le K$, (i) $\gamma_k, h_k, \rho_k$ satisfy Lemma 13 and (ii) $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0), \gamma_k)$ satisfies Lemma 14. Hence $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0), \gamma_k)$ is guaranteed to satisfy $\mathcal{D}_{[t, t+h]}(x_0) \subset \hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0), \gamma_k)$ and $d_H(\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0), \gamma_k), \mathcal{D}_{[t, t+h]}(x_0)) < \epsilon$. Furthermore, if a deterministic and transversal discrete transition is detected at the $k$-th step by $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0))$, then (iii) by Lemmas 15, 16, and 17 there is in fact a deterministic and transversal discrete transition in $(t_{k-1}, t_k)$. This implies that a deterministic and transversal discrete transition event is correctly determined. Finally, if the proposed algorithm returns done, then this implies that (iv) either $t_k > T$ or $\mathrm{jump} > N$. Hence, $t_f$ is $\min\{T, t_N\}$. Therefore, $\mathcal{R}_{t_f}$ is a bounded ε-reach set of $\mathcal{A}$ from $x_0$ by (i), (ii), (iii), and (iv). ■

VI. Optimization and Implementation of the Proposed Algorithm

A prototype software tool has been implemented, based on the architecture and the algorithm proposed in Section V, to demonstrate the idea of a bounded ε-reach set computation. In our implementation, we use the Multi-Parametric Toolbox [16] for polyhedral operations and also use some built-in Matlab functions for other calculations.

Notice that the size of $\hat{\mathcal{D}}_t(B_\delta(x_0))$ right after a discrete transition increases roughly by the amount $\gamma$ through the computation of $\hat{J}_{c,n}$. This can potentially affect the capability to determine a discrete transition event. Hence, we determine a smaller value of $\gamma$ to construct a tighter over-approximation of a discrete transition state. Suppose that a discrete transition from a location $l_i$ to some other location $l_j$ has already been determined by the proposed algorithm for given $h > 0$, $\hat{\mathcal{D}}_{t-h}(B_\delta(x_0), \rho)$, and $\hat{\mathcal{D}}_t(B_\delta(x_0), \rho)$ at some time $t$. Then the procedure for construction of a tight over-approximation of a discrete transition state $x(\tau_k)$ for some $\tau_k \in (t-h, t)$ can be improved as shown in Algorithm 3.

Algorithm 3: A procedure to compute a tight over-approximation of a discrete transition state.

1. Partition the time interval $[t-h, t)$ into a finite sequence $\{I_m\}_{m=1}^{M}$ for some $M \in \mathbb{N}$, where

   $I_m := [t - h + (m-1) \cdot \Delta h,\; t - h + m \cdot \Delta h]$

   for some $\Delta h \ll h$.

2. Find a time $\tau := t - h + m \cdot \Delta h \in [t-h, t)$ such that
   • $\mathrm{volume}(\mathcal{V}^i_\tau) \ge \mathrm{volume}(\mathcal{V}^j_\tau)$ and
   • $\mathrm{volume}(\mathcal{V}^i_{\tau + \Delta h}) < \mathrm{volume}(\mathcal{V}^j_{\tau + \Delta h})$,
   where $\mathcal{V}^k_\tau := \mathrm{Inv}_k \cap \hat{\mathcal{D}}_\tau(B_\delta(x_0), \rho)$.

3. Construct $\hat{\mathcal{D}}_{\tau + \Delta h}(B_\delta(x_0), \gamma' + \rho)$ where $\gamma' \ge \Delta h \cdot v$.

4. Compute an over-approximate discrete transition state

   $\hat{J}_{i,j} := \hat{\mathcal{D}}_{\tau + \Delta h}(B_\delta(x_0), \gamma' + \rho) \cap \mathrm{Inv}_i \cap \mathrm{Inv}_j$.



A. An Example of Bounded ε-Reach Set Computation

Fig. 5. A bounded ε-reach set of a DTLHA $\mathcal{A}$ starting from $(\mathrm{Up}, [2.5, 6]^T)$.

As an example to evaluate the proposed algorithm for a bounded ε-reach set computation of a DTLHA $\mathcal{A}$, we consider an LHA $\mathcal{A} := (L, \mathrm{Inv}, A, u, \to)$ over a continuous state space $X := [-8, 8] \times [-8, 8] \subset \mathbb{R}^2$ where

(i) $L = \{\mathrm{Up}, \mathrm{Down}, \mathrm{Left}, \mathrm{Right}\}$,

(ii) $A(l)$ and $u(l)$ for each location $l \in L$ are defined as shown in Table I,

(iii) the invariant set for each location $l \in L$, $\mathrm{Inv}(l)$, is defined as shown in Fig. 5, and

(iv) $\xrightarrow{G}$ holds at the intersection between invariant sets of different locations.

Notice that all the LTI dynamics defined in the given LHA $\mathcal{A}$ are asymptotically stable. Moreover, from the vector fields determined by $A(l)$ and $u(l)$ for each $l \in L$, every discrete transition which occurs along the boundary of the invariant set between different locations is deterministic and transversal. Hence the given LHA $\mathcal{A}$ is in fact a DTLHA.

TABLE I. $A(l)$ and $u(l)$ for each $l \in L$ of $\mathcal{A}$.




The bounded ε-reach set computation problem is specified by $(\mathcal{A}, l_0, x_0, T, N, \epsilon)$ where $l_0 = \mathrm{Up}$, $x_0 = (2.5, 6)^T$, $T = 20$ sec, $N = 10$, and $\epsilon = 0.5$.

In this example, we also assume that numerical calculation algorithms are available for the basic calculations defined in Section IV-B such that $a(e^{At}, \rho)$, $a(\int_0^t e^{A\tau}\, d\tau, \rho)$, $a(\mathcal{H} \cap \mathcal{P}, \rho)$, and $a(\mathrm{hull}(V), \rho)$ are computed, where $\rho$ is specified as $10^{-15}$.

A policy that is used to choose values for $(k, \delta_k, \gamma_k, h_k)$ is as follows:

(i) $k$ is chosen in a non-decreasing manner,

(ii) $\delta_k := 10^{-5}$ to define a fixed sufficiently small $B_\delta(x_0)$,

(iii) $\gamma_k := (\epsilon - \mathrm{dia}(\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0), \rho_k)))/2$, and

(iv) $h_k := (\gamma_k/2)/v$ where $v$ is as defined in (9).

Notice that (i) means that whenever the proposed ε-reach set algorithm fails to continue its computation at the $k$-th computation step, the policy decides to restart the computation from the $k$-th step with different values of the other parameters. Recall that $\rho_k$ denotes the approximation error of $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0))$ when the algorithm computes $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0))$ at time $t_k$. As shown in (iii), for a given $\epsilon$, the policy chooses the largest value of $\gamma_k$ at each computation step. The equation for $\gamma_k$ given in (iii) can easily be derived by considering

$$\mathrm{dia}(\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0), \gamma_k + \rho_k)) \le \mathrm{dia}(\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0), \rho_k)) + 2\gamma_k.$$

If we upper bound the right hand side by $\epsilon$, then we have (iii).

Fig. 5 shows the computation result. As shown in Fig. 5, a bounded ε-reach set is successfully computed. In this example, the algorithm terminates at the computation step $k = 2259$ right after the algorithm makes the tenth discrete transition from location Left to Down at the time $t = 12.1415$ sec. and $\mathrm{jump} = 10$. For given $\rho := 10^{-15}$, the accumulated numerical calculation error $\rho_k$ for $\hat{\mathcal{D}}_{t_k}(B_{\delta_k}(x_0))$ at this termination time is $2.5638 \times 10^{-11}$.

VII. Conclusion

We have defined a special class of hybrid automata, called Deterministic and Transversal Linear Hybrid Automata (DTLHA), for which we can address the problem of bounded ε-reach set computation starting from an initial state. For this class, we can also incorporate the impact of numerical calculation errors caused by finite precision numerical computation.

It is of importance to determine more general and useful models of hybrid systems that permit computational verification of safety properties. Hybrid linear systems that incorporate linear models widely employed in control systems are a natural candidate around which to build such a theory of verification and validation.
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